Copy Namespace Labels
It is common for Namespaced resources to need access to labels which have been assigned to the Namespace in which they reside. This policy demonstrates two different ways of assigning Namespace labels to a Deployment. The first method copies only the `owner` label while the second copies all labels except for `kubernetes.io/metadata.name`.
Policy Definition
/other/copy-namespace-labels/copy-namespace-labels.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: copy-namespace-labels
  annotations:
    policies.kyverno.io/title: Copy Namespace Labels
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Deployment, Label, Namespace
    kyverno.io/kyverno-version: 1.11.1
    kyverno.io/kubernetes-version: "1.27"
    policies.kyverno.io/description: >-
      It is common for Namespaced resources to need access to labels which have been assigned
      to the Namespace in which they reside. This policy demonstrates two different ways of
      assigning Namespace labels to a Deployment. The first method copies only the `owner` label
      while the second copies all labels except for `kubernetes.io/metadata.name`.
spec:
  rules:
  # Method 1: copy only the Namespace's `owner` label.
  - name: owner-label-deployment-from-ns
    match:
      any:
      - resources:
          kinds:
          - Deployment
          operations:
          - CREATE
    context:
    # Look up the Deployment's Namespace; fall back to 'empty' if it has no `owner` label.
    - name: owner
      apiCall:
        urlPath: "/api/v1/namespaces/{{ request.object.metadata.namespace }}"
        jmesPath: metadata.labels.owner || 'empty'
    mutate:
      patchStrategicMerge:
        metadata:
          labels:
            owner: "{{ owner }}"
  # Method 2: copy every Namespace label except `kubernetes.io/metadata.name`.
  - name: all-label-deployment-from-ns
    match:
      any:
      - resources:
          kinds:
          - Deployment
          operations:
          - CREATE
    context:
    # Merge a null over `kubernetes.io/metadata.name` so that label is not copied.
    - name: alllabels
      apiCall:
        urlPath: "/api/v1/namespaces/{{ request.object.metadata.namespace }}"
        jmesPath: metadata.labels | merge(@, {"kubernetes.io/metadata.name":null})
    mutate:
      patchStrategicMerge:
        metadata:
          labels:
            "{{ alllabels }}"
```
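
As an added illustration (not part of the Kyverno policy or project code), this Python model traces what the two rules do to a Deployment's labels at CREATE time, including the case where a Namespace label overwrites a label the Deployment already carried. It assumes strategic-merge semantics in which a null value removes the key; the function names and sample labels are constructed.

```python
# Added model of the policy's two mutate rules; not Kyverno code.
NS_NAME_LABEL = "kubernetes.io/metadata.name"


def owner_context(ns_labels):
    """JMESPath `metadata.labels.owner || 'empty'`: fall back when the
    label is missing or an empty string (both are false-like for `||`)."""
    return ns_labels.get("owner") or "empty"


def alllabels_context(ns_labels):
    """JMESPath `metadata.labels | merge(@, {NS_NAME_LABEL: null})`:
    every Namespace label, with the auto-set name label forced to null."""
    merged = dict(ns_labels)
    merged[NS_NAME_LABEL] = None
    return merged


def strategic_merge(labels, patch):
    """Assumed strategic-merge semantics for a label map: a null value
    removes the key, any other value is set (overwriting an existing one)."""
    out = dict(labels)
    for key, value in patch.items():
        if value is None:
            out.pop(key, None)
        else:
            out[key] = value
    return out


def mutate_on_create(ns_labels, deployment_labels):
    """Apply both rules in the order they appear in the policy."""
    labels = strategic_merge(deployment_labels, {"owner": owner_context(ns_labels)})
    return strategic_merge(labels, alllabels_context(ns_labels))


# Constructed sample input.
NS_WITH_OWNER = {NS_NAME_LABEL: "team-a", "owner": "alice", "env": "prod"}
NS_WITHOUT_OWNER = {NS_NAME_LABEL: "team-b"}

if __name__ == "__main__":
    print(mutate_on_create(NS_WITH_OWNER, {"app": "web", "env": "dev"}))
    print(mutate_on_create(NS_WITHOUT_OWNER, {"app": "web"}))
```

In the first sample the Deployment's own `env: dev` is replaced by the Namespace's `env: prod`, which matters if admission checks or selectors rely on labels set by the workload author.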